topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:30 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Be prepared against ransomware viruses..  (Read 44464 times)

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #25 on: June 27, 2015, 09:40 PM »
Are there any fast global checks? Like are the ransomed files renamed to some bizarre file extension, or just ".zip" (that happens not to be unzippable)? So then you could put a list of all sane file extensions somewhere, and then some kind of deep background process that says "hey, if you find yourself creating anything evil, stop all activity and holler"?



The one I encountered turned every image, office document, email, and html file into a .EXX added on to its normal extension.

I literally had dodged a bullet with it- the night before I had noticed it acting funny and kicked it off the network suspecting malware. Next morning it had the cryptolocker ransome notice up and while it still ran all of the documents on it had been encrypted.

If I had left it alone it would have tried to encrypt everything it could reach on the fileserver.


bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #26 on: June 28, 2015, 12:27 AM »
Does anyone know of any mainstream security software that uses a "honeypot" approach of watching for certain files being modified?  i.e. which tries to catch these kinds of ransomware evils by catching and killing them as soon as they try to modify a document that the security software knows should never be changed/deleted.
I don't even understand the procedural explanation on this, let alone the technical end, but it does mention your keyword honeypot:
Tarpit tool sticks it back to teenage mutant Nimda worm
"The tool, called LaBrea, creates a tarpit ("sticky honeypot") by making use of unused IP addresses on a network and creates "virtual machines" that answer to connection attempts

LaBrea answers those connection attempts generated by worms in a way that causes an infected machine at the other end to get "stuck", sometimes for a very long time."
article date - Sept 21, 2001

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #27 on: June 28, 2015, 03:30 PM »
I remember LaBrea.  The original author almost abandoned the project, citing potential legal action against him because the nature of LaBrea goes against certain provisions of the Federal Wiretap Act, namely:
Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…

Basically, LaBrea does exactly that; intercepts electronic communication.  How that actually would play out in the courts is another matter, as TechRepublic's John McCormick pointed out back in 2003:
You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense.

I think the honeypot concept mouser is talking about involves more of a "mousetrap" aspect; an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify, but is in fact actively monitored by said 'honeypot' application such that when the file or network is accessed, the process doing the access is immediately targeted and shut down.  Sounds like a good idea to me; how to implement?  Beyond me.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #28 on: June 28, 2015, 03:31 PM »
I think the honeypot concept mouser is talking about involves more of a "mousetrap" aspect; an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify, but is in fact actively monitored by said 'honeypot' application such that when the file or network is accessed, the process doing the access is immediately targeted and shut down.

exactly.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #29 on: June 28, 2015, 06:03 PM »
What about the vector?  You said that the relative was pretty pc savvy... I'm just wondering what got him.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #30 on: June 28, 2015, 06:24 PM »
Unknown.  However, while they are relatively pc-savvy, they have been, until now, very cavalier about security.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #31 on: June 28, 2015, 08:41 PM »
I remember LaBrea.  The original author almost abandoned the project, citing potential legal action against him because the nature of LaBrea goes against certain provisions of the Federal Wiretap Act, namely:
Any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication…intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection; intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection…

Basically, LaBrea does exactly that; intercepts electronic communication.  How that actually would play out in the courts is another matter, as TechRepublic's John McCormick pointed out back in 2003:
You probably think that this is a really stupid idea—the concept that you could be violating the law merely by monitoring what a trespasser does on a system you own. But that’s just your common sense speaking, and any lawyer will tell you that the law has little or nothing to do with common sense.

I think the honeypot concept mouser is talking about involves more of a "mousetrap" aspect; an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify, but is in fact actively monitored by said 'honeypot' application such that when the file or network is accessed, the process doing the access is immediately targeted and shut down.  Sounds like a good idea to me; how to implement?  Beyond me.
Yes, I made a note of highlighting the LaBrea article's prehistoric date, partly in hopes that an updated version might address such legal or technical concerns.
But I knew it was a long shot from the get-go.
Mouser's thread at least made me aware of the danger, to the point that I've added a second backup DVD for work I do, that I keep physically removed from my machine.

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #32 on: June 29, 2015, 03:12 AM »
an application places a special file or fake network connection that looks (to a ransomware program) like something it would want to access and modify...
How to implement?

Is it perhaps called virtualization?

"A refrigerator without beer is like a body without soul"

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #33 on: June 29, 2015, 03:12 AM »
Reading your messages I get perplexed. You talk about things that already exist for many years.
"A refrigerator without beer is like a body without soul"

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #34 on: June 29, 2015, 03:52 PM »
Reading your messages I get perplexed. You talk about things that already exist for many years.
Hi Giampy, your next post will be your 400th, in case you might want to go to the;
When you make your 100'th Post thread
and make your 400th post there.  :Thmbsup:

^Yes, if you meant me, the keywords 'already exist for many years', 'LaBrea', and 'prehistoric' made for a string with some unintentional dry wit.  ;D
« Last Edit: June 29, 2015, 03:59 PM by bit »

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #35 on: June 29, 2015, 03:55 PM »
Reading your messages I get perplexed. You talk about things that already exist for many years.

Are you talking about the thread in general?  It was a reminder for those that may have been getting slack with their restoration plan.

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #36 on: June 29, 2015, 04:15 PM »
Mine was an observation only. No sarcasm behind it. Continue serenely your discussion.
"A refrigerator without beer is like a body without soul"

hverne

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 7
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #37 on: July 02, 2015, 02:10 PM »
Another good tip - do NOT run as an administrator.  Set up another Admin account and delete privileges from your account.
Then, when you get a UAC popup, you will have to enter the admin PW rather than just hitting enter.

MerleOne

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 957
  • 4D thinking
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #38 on: July 02, 2015, 04:41 PM »
I found this :
http://easysyncbacku...CryptoMonitorDetails, free currently (until the newest version is released).  Of course when the PC is already under attack it's too late.  Did not try it yet.
.merle1.

4wd

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 5,641
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #39 on: July 02, 2015, 09:30 PM »
The conspiracy theorists among us would put forward that the new commercial tools available to specifically prevent Cryptoware were written by the people that created it in the first place.

Constant revenue stream and big panic extortion payoffs - win-win situation  ;)

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #40 on: July 03, 2015, 02:43 PM »
Another good tip - do NOT run as an administrator.  Set up another Admin account and delete privileges from your account.
Then, when you get a UAC popup, you will have to enter the admin PW rather than just hitting enter.

Yes, but it may be boring. I instead prefer to be administrator and then I start critical programs (like the browser) with limited privileges, for example by DropMyRights.
Convenience and safety at the same time.
"A refrigerator without beer is like a body without soul"

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #41 on: July 03, 2015, 04:19 PM »
^ That's nice!  Thanks!

Giampy

  • Participant
  • Joined in 2009
  • *
  • Posts: 444
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #42 on: July 03, 2015, 05:57 PM »
However we are talking about ransomware and I fear ransomware can't be stopped by limited privileges. Encrypting data is not a system operation, so I think ransomware are allowed to do it even if privileges are low.
I think limited privileges are useful against other kinds of malware only.
"A refrigerator without beer is like a body without soul"

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #43 on: July 04, 2015, 09:12 AM »
However we are talking about ransomware and I fear ransomware can't be stopped by limited privileges. Encrypting data is not a system operation, so I think ransomware are allowed to do it even if privileges are low.
I think limited privileges are useful against other kinds of malware only.

It can be stopped by limited privileges from accessing backups on the network and other machines.  Which was the most tragic part of the incident in the OP.

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #44 on: July 04, 2015, 05:45 PM »
However we are talking about ransomware and I fear ransomware can't be stopped by limited privileges. Encrypting data is not a system operation, so I think ransomware are allowed to do it even if privileges are low.
I think limited privileges are useful against other kinds of malware only.

It can be stopped by limited privileges from accessing backups on the network and other machines.  Which was the most tragic part of the incident in the OP.

Not necessarily.

Mapped network drives can be created and accessed by users without administrative access unless a group policy exists saying otherwise.

And Windows also allows users to access removable devices regardless of administrative access. Including any remote network filesystem that it has read-write access to.

Messing with user privilege would not have any impact at all on the speed of ransomware encrypting files unless that user privelage change also had associated restrictions on CPU and IPOS resource consumption.


wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #45 on: July 04, 2015, 09:13 PM »
However we are talking about ransomware and I fear ransomware can't be stopped by limited privileges. Encrypting data is not a system operation, so I think ransomware are allowed to do it even if privileges are low.
I think limited privileges are useful against other kinds of malware only.

It can be stopped by limited privileges from accessing backups on the network and other machines.  Which was the most tragic part of the incident in the OP.

Not necessarily.

Mapped network drives can be created and accessed by users without administrative access unless a group policy exists saying otherwise.

And Windows also allows users to access removable devices regardless of administrative access. Including any remote network filesystem that it has read-write access to.

Messing with user privilege would not have any impact at all on the speed of ransomware encrypting files unless that user privelage change also had associated restrictions on CPU and IPOS resource consumption.


-SeraphimLabs (July 04, 2015, 05:45 PM)

It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #46 on: July 05, 2015, 08:52 AM »
Pardon the interruption, but...
It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.

Wasn't Code Red a worm that attacked unsecured IIS servers that were running by default in Win2k? I don't recall share hopping being part of its MO.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #47 on: July 05, 2015, 10:50 AM »
Pardon the interruption, but...
It indeed has helped me before with the code red virus.  I'd given read only access to my backup directory, and was doing a lower tech version of removing privileges in order to access my network drives.  I was glad that I did.

Wasn't Code Red a worm that attacked unsecured IIS servers that were running by default in Win2k? I don't recall share hopping being part of its MO.

Yeah... my fault.  It was something else during that time that basically propagated itself by re-writing parts of files.  I forget the name at this point- but it was some nifty name.  As I only accessed the shares in question by administrative share, and used another account (admittedly admin on my box) the infection was contained.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #48 on: July 14, 2015, 12:25 PM »
FWIW, found this vid on YT called Script Kiddie Logs into a Honey Pot.
Published on Oct 10, 2012
quote: "I'm running a honeypot using Kippo and someone managed to guess the password (hint: it was password) and played around a bit. As this video shows, he doesn't seem to know much of what he's doing - he misspells many commands, gets frustrated, and finally just deletes the entire filesystem. His IP placed him in southern China."
« Last Edit: July 14, 2015, 12:33 PM by bit »

MerleOne

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 957
  • 4D thinking
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Be prepared against ransomware viruses..
« Reply #49 on: April 21, 2016, 08:34 AM »
Interesting to read that there is no real decryption, just the use of backup and other solutions to recover files !
.merle1.